Users who misspell the address of a popular website are being targeted by adware. The particular typo identified in this adware campaign involves typing “.om” instead of “.com” at the end of the URL. Typically, such a typo would take users to an error page. However, the “.om” domain is available to register and malicious actors are taking advantage of such small mistakes.

Researchers at Endgame, a network security provider, first identified this problem earlier this month. The highly anticipated season premiere of House of Cards made its debut on popular streaming service Netflix and one of their users mistyped “www.netflix.com” as “netflix.om.” The user was taken to a website that asked him to update his Flash software and featured a number of pop-up windows trying to coerce him into downloading the fake Flash update. 

When they analyzed the website they found that it adapated its attack based on the user’s operating system. The fake Flash update was a cover for adware which installs itself into the user’s browser and inundates them with pop-up ads, slowing down the performance of the computer and hindering the user experience. The researchers found a spike in domain registrations ending in “.om” from last month and that malicious actors are targeting popular domain names which are likely to be visited and, subsequently, misspelled. The “.om” domain is related to the country of Oman located in the Arabian Peninsula. Its domain name is simply a match for a common misspelling of “.com.”

This adware campaign is a form of typosquatting. Typical cybersquatting involves users registering website domains under someone else’s brand and targeting internet users who visit the address expecting an official site for the brand. Typosquatting targets users who misspell a popular website name, such as Gooogle.com versus Google.com. While it’s not a new form of targeting users, this “.om” campaign appears to be a focused effort leveraging a simple user mistake to infect them with adware.